The Linux Administration group is for the discussion of technical issues that arise during the administration of Linux systems, including maintaining the operating system and supporting end-user applications.

After verifying if and where your 'su' command lives and adding it to
'PATH', one should consider that this command uses the 'pam' service (i.e.
Pluggable Authentication Modules).
To check this out, edit the '/etc/pam.d/su' file. For further information
on 'pam' take a look at this page:

> Reply from wallacep on Jan 9 at 4:11 AM
> To identify where su is, try executing the following: "find / -name su -print".
> This will tell you where the su command is, or if it is even on the machine.
> Regards,
> Wallace

When I execute the following commands I get "incorrect password". I know
the root password; I can log in as root but not su to root.
I think someone is changing something on me.
[testusers/]$ /bin/su
Password:
/bin/su: incorrect password
[testusers/]$ su
Password:
su: incorrect password
thanks,

Okay, based on that output, I'm pretty sure the presence and location of 'su' isn't the problem. The system can clearly find it. The problem here is that somehow the password is either screwed up or is being incorrectly entered.

Since you say you can login as root, you obviously know the root password. Be sure you are using this password, and not your normal user password, when using 'su'.

If this still doesn't work, then resetting root's password might fix it. To do this, log in as root, and then use the 'passwd' command to change root's password.

souky,
your verify output indicates the same thing that your ls -l /bin/su does:
the owner and group have changed from what the system coreutils provides,
and the mode has changed too, which is not good either (but possibly altered by you).

You are unable to su to root because of the ownership and permissions of the executable /bin/su.
Ownership and group must be root:root. Furthermore, the permissions must have the suid bit set, so whoever runs the command runs it as root. This is important since the /etc/shadow file (where the password is stored) is owned by root and only root has read permission.
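As an added example (not code from the thread), a small shell function that checks the three properties the post names for a setuid helper such as /bin/su: owner, group and the setuid bit in the mode. It also flags a group- or world-writable mode, since a writable setuid binary is worse than a missing bit. It assumes GNU stat (CentOS and other Linux systems).

```shell
# Added example, not from the thread: verify that a setuid helper such as
# /bin/su is owned by the expected user:group, carries the setuid bit, and
# is not writable by group or others. Requires GNU stat ('stat -c').

# check_setuid_binary PATH OWNER GROUP
# Returns 0 when PATH is a regular file owned by OWNER:GROUP with the setuid
# bit set and no group/world write bits; prints each problem found otherwise.
check_setuid_binary() {
    path=$1; want_owner=$2; want_group=$3
    rc=0
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 1
    fi
    # %U user name, %G group name, %a permission bits in octal (e.g. 4755)
    set -- $(stat -c '%U %G %a' "$path")
    owner=$1; group=$2; mode=$3
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$path: owned by $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    # With a special bit set, stat prints four digits; setuid is the 4 in the
    # leading digit (4=setuid, 5=setuid+sticky, 6=setuid+setgid, 7=all three).
    # A plain 755 prints as three digits and falls through to the error.
    case "$mode" in
        [4567]???) ;;
        *) echo "$path: mode $mode has no setuid bit"; rc=1 ;;
    esac
    # Last three digits are user/group/other; a 2, 3, 6 or 7 in the group or
    # other position means write access for that class.
    perm=$(printf '%s' "$mode" | tail -c 3)
    case "$perm" in
        ?[2367]?|??[2367]) echo "$path: mode $mode is group/world writable"; rc=1 ;;
    esac
    return $rc
}

# Usage on the poster's system; expected result is the -rwsr-xr-x root root
# listing quoted later in the thread. Only runs if /bin/su exists here.
if [ -e /bin/su ]; then check_setuid_binary /bin/su root root; fi
```

The check reads the filesystem through the same kernel a tampered system is running on, so a clean result only says the bits are right now; it says nothing about the binary's contents, which is what the package verification discussed further down is for.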

Tripwire, AIDE, etc. are great for ensuring system integrity IF you establish a baseline immediately after setting up the system AND update the database each time you perform system updates.

Once the system has been hacked it makes no sense to then establish security baseline.

George's suggestion to run verify is good because it is based on the original system config, and the results show that system binaries have been messed with. Putting a user into sudoers is yet another poor workaround to a hacked system.

Your only hope at this point is for a buddy to admit that they have been "experimenting" with the system, show you all that they did and reverse those changes.

Personally I would not trust anything said by someone that would admit to such shenanigans.

Yes, sorry :) My assumption (I know, I know :) was that everyone has that security baseline. My past site used AIDE and we cronned a daily AIDE run to check for changed files. From the description, it looked like an inexperienced person with root access was "experimenting" with commands (very likely more) etc. on that system.

Yes, like you, I won't trust this system, and would very likely do a complete rebuild with an extra "eye" to security, if the integrity of the system can't be verified.
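To make concrete what a "security baseline" and a daily check buy you, here is an added example (not from the thread and not AIDE's own code) of a minimal file-integrity baseline: it records a digest plus mode, owner, group and size for every regular file under a directory, and a second function reports anything that differs. The point the posters make holds for it exactly as for AIDE: the baseline is only worth anything if taken from a clean system and refreshed after legitimate updates, and it should be stored where the host's root cannot quietly rewrite it.

```shell
# Added example, not from the thread: a toy AIDE/Tripwire-style baseline.
# Requires sha256sum, GNU stat and find. Filenames containing newlines are
# not handled; a real deployment would use AIDE and keep its database
# read-only or off the box.

# make_baseline DIR OUTFILE : one line per regular file under DIR with
# "sha256 mode owner group size path", sorted so two runs diff cleanly.
make_baseline() {
    find "$1" -xdev -type f | sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s\n' "$sum" "$(stat -c '%a %U %G %s %n' "$f")"
    done > "$2"
}

# check_baseline DIR BASELINE : rebuild the baseline for DIR and print every
# record that changed, appeared or disappeared. Returns 1 if anything differs.
check_baseline() {
    tmp=$(mktemp)
    make_baseline "$1" "$tmp"
    # '<' lines exist only in the stored baseline (changed or removed file),
    # '>' lines exist only in the current state (changed or added file).
    changed=$(diff "$2" "$tmp" | grep '^[<>]' || true)
    rm -f "$tmp"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Typical cron use (paths are illustrative):
#   make_baseline /bin /var/lib/baseline/bin.txt     # once, on a clean system
#   check_baseline /bin /var/lib/baseline/bin.txt    # daily, mail the output
```

A changed digest with an unchanged size and mtime is the case a plain `ls -l` never shows you, which is why the digest is in the record; conversely, a record that changes right after `yum update` is expected, and the baseline has to be regenerated then or every later run is noise.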

I have to agree with astroboy here. The fact that someone other than root owns 'su' is pretty clear indication that your system has been compromised. You could easily log in as root and reclaim ownership of 'su', but God only knows how many other nasty "gotchas" are hiding in your system now. Your best bet, at this point, is to wipe your drive and reinstall. If you've been making routine backups, then restore back to the point where you were last able to successfully use 'su'.

Yes, I agree with astroboy's assessment as well. I personally prefer a rebuild, especially if there is no Tripwire/AIDE security baseline to verify the system's integrity. In addition, scan for SUID programs in the users' space (/home).

Excellent thread. It certainly looks like a compromised system. A rebuild is probably prudent but consider making this box a honeypot. It has already been targeted, if you isolate it you may turn the tables on your intruder.

george via linuxadmin-l wrote:
>
>
> psouky
>
> you should be able to verify the integrity of the version of su by using
> the --verify option on rpm. su comes in the coreutils package, so the
> following should do it:
>
> rpm --verify coreutils
>
> I believe for su to properly log you in as root, it has to be setuid - if
> you do a ls on /bin/su, you should see :
> -rwsr-xr-x 1 root root 34904 Dec 7 16:51 /bin/su
>
> I have seen some systems where su is not setuid and you can invoke "root"
> via sudo - ie :
> sudo su -

I would recommend getting a copy of 'su' from a like machine, copying it to
the existing machine and then using it to 'su'. You'll need to set the
perms properly. Copy it to somewhere other than /bin/, say /tmp.

Then see if it works. If it does, you were likely hacked and need to
reinstall.

I would not bother. If you'll note below, the OP has identified two
problems. The /bin/su binary is not owned by root and root group.
Also, it is not setuid. Regardless of whether the password is corrupt
or not, /bin/su will not work.

I can confirm that 28336 is the size of su on my centos 5.7 machines if
that is any comfort.

You may also want to run : rpm -v -a

This will verify the current state of the system against the original rpm
installation. Some files are normal to show as modified, such as config
files etc., but be on the lookout for any binary (i.e., inside /bin,
/usr/bin, /sbin, etc.) that also shows as modified.

Some root kits will install a modified version of 'ps' which is configured
to hide certain background processes. Also check out your /tmp and see if
there is anything wonky in there.
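The advice above is to scan the verify output for modified binaries while ignoring the config files that change legitimately. As an added example (not from the thread), here is a filter that does that over the output of `rpm -Va` (the short form of `rpm --verify --all`): it keeps only files under the system binary directories, drops config files, and reports entries whose size, mode, digest, owner or group changed or that are missing altogether, while ignoring a changed mtime on its own. The sample input is constructed for demonstration, not captured from the poster's machine.

```shell
# Added example, not from the thread: filter `rpm -Va` output for system
# binaries whose recorded attributes no longer match the package database.

# rpm -V prints one line per file that differs: a 9-character flag field
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities; '.' means unchanged), an optional file-type letter
# (c = config, d = documentation, ...), then the path. A file that is gone
# prints the word "missing" instead of the flags.
flag_modified_system_binaries() {
    awk '
        NF == 0 { next }
        {
            flags = $1
            # With a type letter present the path is field 3, else field 2.
            type = (NF >= 3) ? $2 : ""
            path = $NF
        }
        # Only executables in the system binary directories are of interest.
        path !~ "^/(bin|sbin|usr/bin|usr/sbin)/" { next }
        # Config files (type c) change legitimately; skip them.
        type == "c" { next }
        flags == "missing" { print path; next }
        # Size, mode, digest, owner or group changes on a binary are the
        # signs discussed in the thread; a changed mtime alone (T) is not.
        flags ~ /S/ || flags ~ /M/ || flags ~ /5/ || flags ~ /U/ || flags ~ /G/ { print path }
    '
}

# Constructed sample of rpm -Va output (not real output from any system):
sample_rpm_output='S.5....T.  c /etc/ssh/sshd_config
.M...UG..    /bin/su
.......T.    /usr/bin/perl
missing     /usr/bin/ps
S.5....T.    /usr/share/doc/README'

# On a live system: rpm -Va | flag_modified_system_binaries
# On the sample this prints /bin/su (mode, user and group changed) and
# /usr/bin/ps (missing); sshd_config is config, perl only has a new mtime.
printf '%s\n' "$sample_rpm_output" | flag_modified_system_binaries
```

One caveat a responder would raise: `rpm -V` trusts the rpm binary, its database and the libraries on the very host under suspicion, and a rootkit that replaces `ps` can just as well replace or patch those. Treat a clean verify as weak evidence, and where possible compare against a known-good machine of the same release (the "like machine" suggested earlier in the thread) or run the check from rescue media.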

To the OP, was there a restore of the su utility from an archive?
If yes, was the restore done by someone other than root?
If yes to both, that may be why the ownership, group and permissions
are now incorrect.

Dcmartin via linuxadmin-l wrote:
>
>
> To the OP, was there a restore of the su utility from an archive?
> If yes, was the restore done by someone other than root?
> If yes to both, that may be why the ownership, group and permissions
> are now incorrect.

A restore by a non-root user would not be able to overwrite the existing
/bin/su because of permissions.

Honeypots are for research purposes, never on a business network.
If you're not in the security business, you have no business hosting a
honeypot.

If someone compromises my production network, you can bet I'd want to know who and how if at all possible. Having a known compromised Linux machine is not at all like a kludged up Windows desktop.
In any case, while I appreciate your opinion (as it clearly has landed with full force on this thread) it's a bit over the top saying I have no business hosting a honeypot or doing anything else for that matter.

No, because only root can write to the /bin directory. If your Dan
user is able to write to the /bin/Test directory, then your umask for
root is an insecure setting. No user should be able to write to a
directory that was created by root, unless root specifically opened the
directory for such purposes. Your example above, where Dan can write
to /bin/Test, indicates that either you did not test this scenario, or if
you did, your umask for root is set to an insecure setting.

DACREE via linuxadmin-l wrote:
>
>
> Honeypots are for research purposes, never on a business network. If
> you're not in the security business, you have no business hosting a
> honeypot.
>
>
> If someone compromises my production network, you can bet I'd want to
> know who and how if at all possible. Having a known compromised Linux
> machine is not at all like a kludged up Windows desktop.

I don't care who. I do care how. I will fix it and move on. Figuring
out who is going to take more time than it is worth.

> In any case,
> while I appreciate your opinion (as it clearly has landed with full
> force on this thread) it's a bit over the top saying I have no
> business hosting a honeypot or doing anything else for that matter.

Okay, from a security standpoint, you should never host a honeypot on a
business network unless you are in the business of system/network security.

That's your method and your recommendation. And that is all it is. Try to remember that not everyone thinks and operates the way you do.

The system is already compromised but there may be further security issues. By isolating the system and tracking the attacker's actions, you may find out you have more problems than you knew existed.

If we follow your advice, the system is repaired and secure but your other systems and hardware may also be compromised and you may never know.

I'm fairly confident that (and anyone who solely does security for a living can chime in here) re-installing the system and ignoring the fact that you had been compromised is a mistake. Willfully remaining ignorant of the scope of an attack is a poor security model.

DACREE via linuxadmin-l wrote:
>
>
> That's your method and your recommendation. And that is all it is.
> Try to remember that not everyone thinks and operates the way you do.

From a business standpoint, unless you are in the security business,
there's no way to justify a honeypot on your network.

If I'm making widgets, and I try and propose the use of a honeypot on my
network, the people who write the check are going to ask me to justify
the purpose.

Secure your network and be done with it. Yes, this is my opinion, but
it is also the opinion of a number of security experts. Do your research.

>
>
> The system is already compromised but there may be further security
> issues. By isolating the system and tracking the attackers actions,
> you may find out you have more problems that you knew existed.

As I noted, the proper solution is to reload the system. This will most
definitely remove all known and unknown exploits.

>
> If we follow your advice, the system is repaired and secure but your
> other systems and hardware may also be compromised and you may never
> know.

Reload the known system, check others. Standard procedures.

>
> I'm fairly confident that (and anyone who solely does security for a
> living can chime in here) re-installing the system and ignoring the
> fact that you had been compromised is a mistake. Willfully remaining
> ignorant of the scope of an attack is a poor security model.

I did not even address that issue, I was addressing the specifics of
this one system. I absolutely agree you need to check other systems on
the network.

Setting this system up as a honeypot is foolish for a number of reasons.
Just as you have noted, it's been compromised and you don't know what
all exploits may have been installed on the system.

Honeypots are created from scratch, not from an existing exploited system.

As you've noted, consult ANY network/system expert and they will tell
you the same. You don't try to create a honeypot from an exploited
system. You create a honeypot from scratch, as it is a very dangerous
thing to have on your network if you don't know what you are doing.

Thank you,
I will try that and see if it does work. I love the safety concern you have as it is only too true. When I first installed this Linux into our computer it did have Windows 7 in it as this is what the machine had in it when my husband got it as a gift for me. As soon as I got my hands on Ubuntu and Foxfire as a combination and registered the computer itself with the Windows which had the registry papers form in their documents files so all my hardware is protected by my warranty, I totally removed Windows and sold it back to the company that had made an awesome computer that I could not have built for the price they had sold it for. Several times over the last 17 years I have built computers from scratch to get the systems I wanted for less money. So I knew reading the hardware info I was getting at least 3 times the hardware price with Windows 7 inside it. It wasn't making full sense. Even less when I read the separate info from the computer company inside the computer itself. If I wanted to sell back my Windows 7 backup original discs as well as the numbers for it they paid me $200 for that. My Gift Computer would have cost me at least between $1200 to $1500 depending where I bought the very same name brand parts. This computer was on a special Christmastime sale and my Husband paid $499 plus state sales tax. I knew he was getting a great deal. I don't believe the makers had any respect for the new owners of 7 to take such a loss as they did for these new machines.
Years back when Bill Gates created Microsoft I swore by it. You bought this software and it was yours, PERIOD. With the new Microsoft and 7 and Mr. Gates gone it's nothing I will have in any computer I own as you never fully own Windows 7 as they now maintain rights in this software. To be the lady my mother tried to raise here I will say simply The Sons of Brats (not the exact word I would prefer to use) are tampering with things they have no right to except there is a tiny clause you can't see until you're online that they do maintain partial rights to 7 and have the right to remove any "Rogue" software and also remove the warranty rights to their software. My Husband and I actually watched them do this after I first updated the HP all in one printer software from HP as if they made the hardware they would have the correct update software. Eight times I downloaded the software. Every time I started the install Microsoft stopped it and replaced it with theirs. The $259 dollar top of the line only worked like it was a $50 dollar cheap printer. I wrote to them and informed them that I didn't want them updating hardware that was not theirs. The next day my husband and I watched them after I once more downloaded the correct software, scan this computer + remove your program and the HP software again. I was treated to a special pop up informing me that as I was running an illegal software program on this computer thereby I voided their EULA and Hubby and I both watched as the printer and computer became a set of paperweights. I have a real bitter taste in my mouth and do recommend this program to all our Friends and Family. Thank you for respecting people enough to warn us about the danger we might have walked into. I like that you are honest and respectful. It means a lot to an elderly woman as I am to know that you did this in such a nice way.
God Bless you, Weezie Begin